Five Remote Flaws Disclosed in Tenda W12 Router — Four Stack Buffer Overflows, Public Exploits Available
Five vulnerabilities, including four stack-based buffer overflows, were disclosed for the Tenda W12 router, all remotely exploitable with public exploit code already circulating.
On May 31, 2026, five vulnerabilities were disclosed together affecting the Tenda W12 wireless router running firmware version 3.0.0.7(4763). The batch, published within a two-hour window, is dominated by four stack-based buffer overflow flaws rated High (CVSSv3 8.8) and one denial-of-service bug rated Medium (CVSSv3 6.5). All five CVEs reside in the /bin/httpd binary — the router's web management interface — and can be triggered remotely, making them especially dangerous for unpatched devices exposed to the internet.
Four of the five CVEs share the same root cause: stack-based buffer overflow in different CGI handler functions within /bin/httpd. CVE-2026-10192 affects the set_local_time_0 function via the Time argument, while CVE-2026-10189 targets cgiSysTimeInfoSet through the sec parameter — both involve time-related settings. CVE-2026-10191 exploits cgiWifiMacFilterSet by manipulating the wifiMacFilterSet.macList.mac argument, and CVE-2026-10188 hits cgistaKickOff via the staMac parameter. The pattern is clear: the web management interface lacks proper bounds checking on user-supplied input across multiple endpoints, allowing an unauthenticated remote attacker to overflow stack buffers and likely achieve code execution.
The fifth vulnerability, CVE-2026-10190, is a denial-of-service flaw in the cgiSysWebTimeoutSet function. Manipulation of the web_over_time argument causes the web management interface to crash. While rated Medium (6.5), it still requires no authentication and can be used to disrupt router administration remotely.
According to the disclosure data, public exploit code is already available for all five CVEs. This significantly raises the risk profile for Tenda W12 owners, as attackers can weaponize these flaws without developing custom tooling. The availability of public exploits, combined with the remote attack vector and lack of authentication requirement, makes this batch a prime candidate for inclusion in botnet or IoT malware campaigns targeting small-office and home routers.
Tenda has not yet released a patched firmware version for the W12 as of the disclosure date. Users running firmware 3.0.0.7(4763) — the only version explicitly named in the advisories — should monitor Tenda's support portal for an update. In the meantime, mitigating steps include disabling remote management access from the WAN side, restricting administrative access to trusted local IPs, and ensuring the router's web interface is not exposed to the internet.
This batch underscores a recurring problem in the consumer router space: a single binary (/bin/httpd) handling multiple CGI endpoints with inconsistent input validation. The fact that four of the five bugs are stack-based buffer overflows suggests a systemic lack of safe string handling in the firmware's web server code. For Tenda W12 users, the window between disclosure and widespread exploitation is likely narrow given the public exploit availability. The vendor's response time will be critical in determining whether these CVEs become a repeat of past IoT botnet waves.